local

package
v0.78.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 9, 2026 License: MIT Imports: 19 Imported by: 0

Documentation

Overview

Package local is the backend's built-in user management -- the auth path for deployments without an external IdP, coexisting with auth/oidc behind auth.Multi. Users live in the document store (argon2id password hashes); access tokens are short-lived Ed25519-signed JWTs from the service's own issuer; refresh tokens are opaque, stored hashed with TTL, and rotate on every use.

Index

Constants

This section is empty.

Variables

View Source
var ErrBadCredentials = errors.New("local: bad credentials")

ErrBadCredentials covers unknown user and wrong password identically, so login responses cannot be used to probe for accounts.

View Source
var ErrLastAdmin = errors.New("local: cannot remove the last admin")

ErrLastAdmin refuses removing the deployment's only admin -- by demotion or deletion -- because no supported path could restore administration afterwards (tasks/207).

View Source
var ErrRateLimited = errors.New("local: rate limited")

ErrRateLimited reports too many recent login failures for the account.

View Source
var ErrUserExists = errors.New("local: user exists")

ErrUserExists reports a create against an existing email.

View Source
var ErrUserNotFound = errors.New("local: user not found")

ErrUserNotFound reports an operation on an unknown email.

Functions

This section is empty.

Types

type Service

type Service struct {
	// contains filtered or unexported fields
}

Service implements built-in users and auth.TokenVerifier for its own issued tokens.

func New

func New(st store.Store, key ed25519.PrivateKey, issuer string) (*Service, error)

New wires the service. issuer must be unique among the deployment's configured issuers (auth.Multi dispatches on it); key signs access tokens.

func (*Service) Bootstrap

func (s *Service) Bootstrap(ctx context.Context, spec string) (restored bool, err error)

Bootstrap ensures a first admin exists, from a "email:password" spec (LCATD_BOOTSTRAP_ADMIN). Safe to run on every boot: an existing user is a no-op UNLESS they lack the admin role, in which case admin is re-granted (restored=true) -- the documented recovery hatch must actually recover a demoted bootstrap admin, not silently do nothing (tasks/207).

func (*Service) CreateUser

func (s *Service) CreateUser(ctx context.Context, email, name, password string, roles []auth.Role) error

CreateUser adds a user with the given roles.

func (*Service) DeleteUser

func (s *Service) DeleteUser(ctx context.Context, email string) error

DeleteUser removes a user (their refresh tokens die at next use). Deleting the deployment's only admin is refused (tasks/207).

func (*Service) GetUser added in v0.59.0

func (s *Service) GetUser(ctx context.Context, email string) (UserInfo, error)

GetUser returns one user's public info.

func (*Service) Issuer

func (s *Service) Issuer() string

Issuer returns the service's issuer string for auth.Multi registration.

func (*Service) ListUsers

func (s *Service) ListUsers(ctx context.Context) ([]UserInfo, error)

ListUsers returns all users, email-ordered.

func (*Service) Login

func (s *Service) Login(ctx context.Context, email, password string) (Tokens, error)

Login checks credentials and issues tokens. Failures count toward a per-account hourly cap.

func (*Service) Logout

func (s *Service) Logout(ctx context.Context, refreshToken string) error

Logout retires a refresh token.

func (*Service) Refresh

func (s *Service) Refresh(ctx context.Context, refreshToken string) (Tokens, error)

Refresh rotates a refresh token: the presented token is retired and a new pair is issued. A reused (already-rotated) token fails.

func (*Service) SetClock

func (s *Service) SetClock(now func() time.Time)

SetClock overrides the clock (tests).

func (*Service) SetPassword

func (s *Service) SetPassword(ctx context.Context, email, password string) error

SetPassword replaces a user's password.

func (*Service) SetRoles

func (s *Service) SetRoles(ctx context.Context, email string, roles []auth.Role) error

SetRoles replaces a user's roles. Removing admin from the deployment's only admin is refused (tasks/207); the read-then-write window between two concurrent demotions of two different admins is accepted -- the guard targets the fat-fingered single request, not a coordinated race.

func (*Service) Verify

func (s *Service) Verify(ctx context.Context, raw string) (auth.Identity, error)

Verify implements auth.TokenVerifier for the service's own access tokens.

type Tokens

type Tokens struct {
	AccessToken  string `json:"accessToken"`
	RefreshToken string `json:"refreshToken"`
	ExpiresIn    int    `json:"expiresIn"`
}

Tokens is a successful login/refresh result.

type UserInfo

type UserInfo struct {
	Email     string      `json:"email"`
	Name      string      `json:"name,omitempty"`
	Roles     []auth.Role `json:"roles"`
	CreatedAt time.Time   `json:"createdAt"`
}

UserInfo is the admin-facing view of a user (no credentials).

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL